Fix reportedly coming for iOS photo uploading loophole

It's not just your iOS address book that can be uploaded to a remote server …

A loophole within iOS that allows developers to surreptitiously upload users' photos and location data without their knowledge may soon have a fix. The Verge reported on Tuesday evening that its sources said Apple is aware of the bug and is "likely planning a fix" as part of an upcoming update to iOS.

The loophole first came to light earlier this month when various sites began reporting on different aspects of the bug. A couple of weeks ago, following the Path address-book-uploading controversy, 9to5 Mac pointed out that iOS developers not only have access to your entire contacts database—they also have access to your photos, music, movies, calendars, and more with their associated geotags.

The New York Times then published its own investigation into the matter earlier this week by having an anonymous developer create an app to test the loophole. As long as the user grants permission for the app to access a particular kind of information, such as photos with location data attached, those photos can begin to be siphoned to a remote server without the user's knowledge or permission.

Apple released a statement shortly after the Path controversy saying it was planning a future software release that would force developers to ask for explicit permission before uploading user data. Since the address book behavior is the same as that with photos and other data, it indeed seems very likely that the Verge's sources are correct and that the upcoming fix will address all of those issues at once. In the meantime, if you're a C-level celebrity who's afraid of your photos being siphoned and mapped out by a crazed fan, do what I do: go into your Settings > Location Services and turn off location services for the Camera app. It helps—a little.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

23 Reader Comments

Fear and caution is part of the human condition. It's what kept us alive as a species. We wouldn't be here if our ancient brethren just strolled around and whistled a tune through the African savannah now would we? Fear and the conveyance of fear is part of who we are. It's hardwired.

Well, it would be annoying to have all of those naked sexy pictures of yourself making a duck face suddenly appear on Tumblr. A good solution of course is not to take pictures of yourself in various states of undress making duck faces.

While there are times where it seems reasonable to be anxious that someone is stalking you, it appears that, except for 'celebrities', this should be a very low class of fear. However, having known some overweight women, I have heard one, at least, express fears about 'getting undressed in public dressing rooms'. What HAS this world come to? There are issues on BOTH sides. How fearful SHOULD we be? Should people be doing the sort of thing which so many people now fear will happen? It is sad for both sides.

Just so you know.. people take naked pictures of themselves. How shocking, amirite?

Unscrupulous websites have been exploiting photobucket and other photo sharing sites for years. Where do you think most of the "self shot" nude photos come from? Google "quip hack".

Fear and caution is part of the human condition. It's what kept us alive as a species.

True enough, but this doesn't change the fact that some fears are completely unjustified. It doesn't change the fact that manufactured fear has always been used by the rich and powerful to control the behavior of the masses. Saying "fear is normal" is a gross over-simplification of a complex subject.

I'm not sure it's correct to call it either a loophole or a bug. These aren't secret APIs in the SDK. These are well documented features/APIs available to the developer.

I know when I made Who Wants To Be A Millionaire, I went through your entire address book for contacts with photos so you could "Phone a Friend". That game doesn't transfer any data at all (the original one for iPhone, I can't speak for any future versions) so it's not like I was doing anything malicious with it.

Could make a game that plays over top of photos from your picture gallery. (Which could make for weird, odd or plain inappropriate backgrounds)

I'm not advocating that as a developer I should have easy access, or shouldn't need to ask for permission. But currently, I'm not doing some black magic to go through a loophole and getting access. I'm given access and choose either to take advantage or not.

Well, it would be annoying to have all of those naked sexy pictures of yourself making a duck face suddenly appear on Tumblr. A good solution of course is not to take pictures of yourself in various states of undress making duck faces.

No, there's got to be another way. People want to take naked pictures of themselves with their smartphone AND have 10 social apps on their phone at the same time. Is that so wrong?

Apple needs to list ALL of the Apps that have downloaded contacts and now photos without the user's permission. This information is needed so the developers that downloaded data can be sued to death. Screw the devs that did so, I hope they lose all of their money and go bankrupt. So much for Apple's "Walled Garden".

These things are blown WAY out of proportion... The applications you're running on your desktop/laptop computer have access to EVERYTHING in your home folder and everything else your user account has access to. There has always been a level of trust between developer and user. Apple can't be blamed for giving developers read access to data and then having some developer abuse that access.

Hasn't Microsoft been down this road of constant verification when Vista was released?

These things are blown WAY out of proportion... The applications you're running on your desktop/laptop computer have access to EVERYTHING in your home folder and everything else your user account has access to. There has always been a level of trust between developer and user. Apple can't be blamed for giving developers read access to data and then having some developer abuse that access.

Apple CAN be blamed though for coupling photo access permissions to location access permissions without telling the user. Just because I may give an app access to my location doesn't mean I want to give it access to my photos and vice versa.

These things are blown WAY out of proportion... The applications you're running on your desktop/laptop computer have access to EVERYTHING in your home folder and everything else your user account has access to. There has always been a level of trust between developer and user. Apple can't be blamed for giving developers read access to data and then having some developer abuse that access.

Apple CAN be blamed though for coupling photo access permissions to location access permissions without telling the user. Just because I may give an app access to my location doesn't mean I want to give it access to my photos and vice versa.

But there is no such thing as photo access permissions, there never has been. It's been open access since the first SDK release. Hell, that open access to the camera folder was actually used as a hack for apps to transfer documents from your phone to your PC. Save to that DCIM folder that the developer and user has access to, and read it from a PC app for a 'seamless' data transfer.

So it is in fact the very same thing as Windows and Mac OSX development, you never had to ask for permission before to access anything in a user's 'documents' folder. It's also the same as ANDROID too.

I need permission to write to external storage (sd card) but I don't need permission to read from it, so your camera images are available there too. I do need permission to read from your contacts, calendar and location information, and using your camera but photos or pictures aren't listed anywhere. Although on Android, I do need permission to send/receive network data, so you are giving me permission to send whatever I want to send/receive.

These things are blown WAY out of proportion... The applications you're running on your desktop/laptop computer have access to EVERYTHING in your home folder and everything else your user account has access to. There has always been a level of trust between developer and user. Apple can't be blamed for giving developers read access to data and then having some developer abuse that access.

Apple CAN be blamed though for coupling photo access permissions to location access permissions without telling the user. Just because I may give an app access to my location doesn't mean I want to give it access to my photos and vice versa.

But there is no such thing as photo access permissions, there never has been. It's been open access since the first SDK release.

So why can't an App access my photos if I don't allow it to access my location?

Wait... so what you're saying is that "as long as the user grants permission for the app to access a particular kind of information" developers can access and use it? That's insane.

LOCATION information is what the permissions prompt is for, not access to the actual image and video contents. If you're going to insult people by being sarcastic, at least think a bit first.

I'd give you credit if that's what the article actually said. Let me copy the entire quote since you clearly didn't read it:

"As long as the user grants permission for the app to access a particular kind of information, such as photos with location data attached, those photos can begin to be siphoned to a remote server without the user's knowledge or permission."

I don't care what the reality of the situation is. I'm commenting on what was stated in the article, which reads to me like a giant "no **** sherlock".